3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
7 # http://www.apache.org/licenses/LICENSE-2.0
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
# Render the audit rule templates into /etc/audit/rules.d/.  The numeric
# prefixes (10-, 11-, ..., 99-) presumably fix the order in which augenrules
# concatenates the files, so 10-base-config is applied first and 99-finalize
# last -- keep new files inside that numbering.
# NOTE(review): the module line (presumably template:) and the loop keyword
# are not visible in this excerpt, nor are owner/group/mode for the rendered
# files.  Confirm the rule files end up root-owned and not world-readable;
# they disclose exactly what is (and is not) being audited.
- name: Replace audit rules from template
    dest: "{{ item.dest }}"
    - {src: '10-base-config.rules.j2', dest: '/etc/audit/rules.d/10-base-config.rules'}
    - {src: '11-loginuid.rules.j2', dest: '/etc/audit/rules.d/11-loginuid.rules'}
    - {src: '12-filter-users.rules.j2', dest: '/etc/audit/rules.d/12-filter-users.rules'}
    - {src: '30-stig.rules.j2', dest: '/etc/audit/rules.d/30-stig.rules'}
    - {src: '31-privileged-gen.rules.j2', dest: '/etc/audit/rules.d/31-privileged-gen.rules'}
    - {src: '32-power-abuse.rules.j2', dest: '/etc/audit/rules.d/32-power-abuse.rules'}
    - {src: '33-avoid-flood.rules.j2', dest: '/etc/audit/rules.d/33-avoid-flood.rules'}
    - {src: '34-failed-actions.rules.j2', dest: '/etc/audit/rules.d/34-failed-actions.rules'}
    - {src: '35-umount.rules.j2', dest: '/etc/audit/rules.d/35-umount.rules'}
    - {src: '36-resource-management.rules.j2', dest: '/etc/audit/rules.d/36-resource-management.rules'}
    - {src: '37-linux-capabilities.rules.j2', dest: '/etc/audit/rules.d/37-linux-capabilities.rules'}
    - {src: '41-containers.rules.j2', dest: '/etc/audit/rules.d/41-containers.rules'}
    - {src: '42-injection.rules.j2', dest: '/etc/audit/rules.d/42-injection.rules'}
    - {src: '43-module-load.rules.j2', dest: '/etc/audit/rules.d/43-module-load.rules'}
    - {src: '44-certificates.rules.j2', dest: '/etc/audit/rules.d/44-certificates.rules'}
    - {src: '50-file-changes.rules.j2', dest: '/etc/audit/rules.d/50-file-changes.rules'}
    - {src: '51-messaging.rules.j2', dest: '/etc/audit/rules.d/51-messaging.rules'}
    - {src: '52-sandbox.rules.j2', dest: '/etc/audit/rules.d/52-sandbox.rules'}
    - {src: '53-kernel-parameters.rules.j2', dest: '/etc/audit/rules.d/53-kernel-parameters.rules'}
    - {src: '99-finalize.rules.j2', dest: '/etc/audit/rules.d/99-finalize.rules'}
# Remove the distribution's stock rules.d/audit.rules so it is not merged
# with the templated files when the effective rule set is built.
# NOTE(review): the module line (presumably file: with state: absent) is not
# visible in this excerpt.
- name: Delete original audit rules
    path: "/etc/audit/rules.d/audit.rules"
# Measure the size in MiB of the filesystem holding the audit logs; the
# result is used below to size num_logs / max_log_file.
# NOTE(review): `grep audit` matches any df line whose target contains
# "audit".  With no such mount the output is empty, and with several it is
# multi-line -- in both cases `disc_size.stdout|int` in the next task
# silently evaluates to 0.  The pipeline's exit status is tr's, so a grep
# miss does not fail the task.  Consider `changed_when: false` (this is a
# read-only probe) and `failed_when: disc_size.stdout | trim == ''` so a
# mis-detected audit volume is caught here instead of yielding an unrotated
# log.  The register: keyword (disc_size, per the following task) is not
# visible in this excerpt.
- name: Ask the audit log disc size
  shell: df -BM --output=size,target | grep audit | awk '{print $1}' | tr -d 'M'
# Derive the number of rotated logs: 80% of the audit volume divided by 100,
# i.e. assuming a 100 MB max_log_file (presumably the role default, which is
# not shown here).  Per auditd.conf(5) no rotation happens when num_logs is
# below 2, so a 0 from an empty disc_size reading disables rotation entirely.
# NOTE(review): the set_fact: line is not visible in this excerpt.
- name: Set the num_logs variable default value's
    num_logs: "{{ ((disc_size.stdout|int *0.8)/100)|int }}"
# auditd.conf(5) caps num_logs at 999, so on very large volumes grow each
# file instead: 80% of the disk spread over 999 files.
# NOTE(review): the set_fact: line and any other keys it sets are not
# visible.  If num_logs is not also reset to 999 in this branch, the
# "Change auditd config" task below writes an out-of-range num_logs --
# confirm against the full task.
- name: Setting the log_file_size if the audit disk size is huge.
  when: num_logs|int > 999
    log_file_size: "{{ ((disc_size.stdout|int *0.8)/999)|int }}"
# Rewrite the auditd.conf keys in place.  `^[ #]*key` also matches a
# commented-out default, so a shipped `#key = ...` line is replaced rather
# than duplicated.  The trailing space in the max_log_file, space_left and
# admin_space_left patterns stops them from also matching the *_action keys
# listed separately.
# NOTE(review): the module line (presumably lineinfile:) and the loop keyword
# are not visible in this excerpt.  log_file_size is only set by the >999
# branch above; it and the other variables (log_file_action,
# disk_full_action, space_left_size, ...) must come from role defaults not
# shown here -- an undefined one fails this task.  There is no notify;
# the restart below runs unconditionally.
- name: Change auditd config
    path: /etc/audit/auditd.conf
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
    - regexp: "^[ #]*num_logs"
      line: "num_logs = {{ num_logs }}"
    - regexp: "^[ #]*max_log_file "
      line: "max_log_file = {{ log_file_size }}"
    - regexp: "^[ #]*max_log_file_action"
      line: "max_log_file_action = {{ log_file_action }}"
    - regexp: "^[ #]*disk_full_action"
      line: "disk_full_action = {{ disk_full_action }}"
    - regexp: "^[ #]*space_left "
      line: "space_left = {{ space_left_size }}"
    - regexp: "^[ #]*space_left_action"
      line: "space_left_action = {{ space_left_action }}"
    - regexp: "^[ #]*admin_space_left_action"
      line: "admin_space_left_action = {{ admin_space_left_action }}"
    - regexp: "^[ #]*flush"
      line: "flush = {{ flush }}"
    - regexp: "^[ #]*disk_error_action"
      line: "disk_error_action = {{ disk_error_action }}"
    - regexp: "^[ #]*admin_space_left "
      line: "admin_space_left = {{ admin_space_left }}"
# Restart auditd so the new auditd.conf and rules.d/*.rules take effect.
# NOTE(review): this is a bare command, so auditd is restarted on every run
# even when nothing changed; a handler notified by the preceding tasks is
# the idiomatic form.  Using `service` rather than the systemd module is
# presumably deliberate -- RHEL-family auditd units refuse a manual stop via
# systemctl.  If 99-finalize makes the rules immutable (`-e 2`), rule
# changes need a reboot rather than a restart -- confirm.
- name: Restart Auditd service
  command: service auditd restart
# Lock the account after N failed SSH logins (default 5) for unlock_time
# seconds (default 300).  onerr=fail fails closed if the tally cannot be
# read.  Inserted directly after pam_sepermit.so so it runs early in the
# auth stack.
# NOTE(review): the module line (presumably lineinfile:) and path: are not
# visible in this excerpt.  Without a regexp:, lineinfile only checks for an
# identical line, so changing deny=/unlock_time= on a later run appends a
# second pam_tally2 entry instead of replacing this one -- consider
# `regexp: '^auth\s+required\s+pam_tally2\.so'`.  pam_tally2 was removed in
# Linux-PAM 1.5 (pam_faillock replaces it); a `required` entry for a module
# that is not installed fails the whole auth stack and locks every SSH user
# out, so verify the module exists before applying this.  Root is exempt
# unless even_deny_root is given -- confirm that is intended.  If the
# insertafter anchor is absent (non-RHEL PAM layouts), lineinfile appends
# the entry at EOF instead.
- name: "Add the pam_tally2.so module to the PAM sshd conf 1."
  insertafter: '^auth[\s]*required[\s]*pam_sepermit.so'
  line: 'auth required pam_tally2.so deny={{ host_os.failed_login_attempts | default(5) }} onerr=fail unlock_time={{ host_os.lockout_time | default(300) }}'
# Companion account entry: per pam_tally2(8) the account phase resets the
# failure counter after a successful login; without it failures accumulate
# until the user locks out.
# NOTE(review): the module line (presumably lineinfile:) is not visible.
# pam_tally2 is absent on Linux-PAM >= 1.5 hosts, where a `required` entry
# for a missing module fails the account stack and blocks SSH logins --
# verify the module exists first.  If pam_nologin.so is not present in this
# file, lineinfile appends the entry at EOF instead.
- name: "Add the pam_tally2.so module to the PAM sshd conf 2."
  path: /etc/pam.d/sshd
  insertafter: '^account[\s]*required[\s]*pam_nologin.so'
  line: 'account required pam_tally2.so'